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Coin flipping is a cryptographic primitive in which two spatially separated players, who in principle 
do not trust each other, wish to establish a common random bit. If we limit ourselves to classical 
communication, this task requires either assumptions on the computational power of the players or 
it requires them to send messages to each other with sufficient simultaneity to force their complete 
independence. Without such assumptions, all classical protocols are so that one dishonest player has 
complete control over the outcome. If we use quantum communication, on the other hand, protocols 
have been introduced that limit the maximal bias that dishonest players can produce. However, those 
protocols would be very difficult to implement in practice because they are susceptible to realistic 
losses on the quantum channel between the players or in their quantum memory and measurement 
apparatus. In this paper, we introduce a novel quantum protocol and we prove that it is completely 
impervious to loss. The protocol is fair in the sense that either player has the same probability 
of success in cheating attempts at biasing the outcome of the coin flip. We also give explicit and 
optimal cheating strategies for both players. 

PACS numbers: 03.67.Dd, 03.67.Hk, 89.70.a. 



I. INTRODUCTION 

Coin flipping by telephone was first introduced with 
these words by Manuel Blum in 1981: "Alice and Bob 
[. . . ] have just divorced, live in different cities, want to 
decide who gets the car" [BJ. They agree that the best 
thing to do is to flip a coin, but neither of them trusts the 
other and they are unable to agree on a mutually trusted 
third party to do the flip for them. More generally, coin- 
flipping protocols (also known as "coin-tossing") can be 
used whenever two players need to pick a random bit 
even though it could be to the advantage of one of them 
(or perhaps both) to choose, or at least bias, the outcome 
of the protocol. 

The original coin-flipping protocol introduced by Blum 
is asynchronous in the sense that it consists of a sequence 
of rounds in which the two players alternate in sending 
messages to each other. The security of Blum's protocol 
depends on the assumed difficulty of factoring large num- 
bers. Such an assumption is of course of little value in 
our quantum world, owing to Peter Shor's algorithm [30] - 
but classical coin flipping can be based on more general 
one-way functions, which could potentially be immune 
to quantum attacks. Nevertheless, any coin-flipping pro- 
tocol that takes place by the asynchronous transmission 
of classical messages has the property that one of the 
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players has complete control over the outcome, given suf- 
ficient computing power. In the best case, such protocols 
can be computationally secure, and even that depends on 
unproven computational complexity assumptions. 

Unconditionally secure classical coin-flipping protocols 
are possible in the synchronous model, in which the play- 
ers are requested to send messages to each other with suf- 
ficient simultaneity to force their complete independence. 
Such protocols are called relativistic because special rela- 
tivity must be invoked to prevent Alice from waiting to 
receive Bob's message before choosing her own (and vice 
versa) . Relativistic protocols must be implemented care- 
fully because their security depends crucially on the phys- 
ical distance between the players, and either of them 
could try to fool the other by pretending to be farther 
away than they really are. Such cheating attempts can 
be thwarted if each player has a trusted agent near 
the other player [IS]. For the rest of this paper, we 
only consider asynchronous protocols and "coin-flipping 
protocol" will systematically mean "asynchronous coin- 
flipping protocol" . 

In quantum coin-flipping protocols, Alice and Bob are 
allowed to exchange quantum states. Such protocols 
were first investigated in 1984 by Charles H. Bennett 
and Gilles Brassard [4,. In that paper, a protocol was 
presented and it was shown that "ironically [it] can be 
subverted by use of a still subtler quantum phenomenon, 
the Einstein-Podolsky- Rosen paradox", making it the 
first use of entanglement [T3] in quantum cryptography. 
We shall refer to it henceforth as the "BB84 protocol" 
(not to be confused with the better-known quantum key 
distribution protocol introduced in the same paper). The 
question was left open: Can there be a perfect quantum 
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coin-flipping protocol? The proof that this is impossible 
was given more than a decade later by Hoi-Kwong Lo 
and Hoi Fung Chau [53], whose result was further clari- 
fied by Dominic Mayers, Louis Salvail and Yoshic Chiba- 
Kohno |25j . Nevertheless, if quantum coin-flipping pro- 
tocols cannot be perfect, can they at least be better than 
anything classically possible? 

To make this question more precise, we say that one 
player enjoys an e-bias if a cheating strategy exists by 
which that player could choose either bit and influence 
the outcome of the protocol to be that bit with prob- 
ability at least \ + e, assuming that the other player 
follows the protocol honestly. This definition is uncondi- 
tional in the sense that we allow the would-be cheater to 
enjoy unlimited computational power and a technology 
limited only by the laws of physics. The bias of a pro- 
tocol is the largest value of e so that at least one player 
enjoys an e-bias. A perfect protocol would be one whose 
bias is 0, but they cannot exist, classical or quantum. 
At the other end of the spectrum, a protocol whose bias 
is 0.5 is considered to be completely broken. All classical 
protocols are completely broken by this definition, and 
so is the BB84 quantum protocol. The question at the 
end of the previous paragraph was therefore: Is there a 
quantum coin-flipping protocol whose bias is strictly less 
than 0.5? 

The first such protocol was discovered in 2000 by 
Dorit Aharonov, Amnon Ta-Shma, Umesh Vazirani and 
Andrew C.-C. Yao [T], who proved that the bias of their 
protocol (ATVY) is at most y/2 — 1 < 0.42 (without any 
claim concerning the tightness of their bound). It was 
subsequently proven by Robert W. Spekkens and Terry 
Rudolph [32] that the ATVY protocol is even better 
than its inventors had thought: its bias is in fact exactly 
V2/4 < 0.36. In the same paper, Spekkens and Rudolph 
gave an amazingly simple coin-flipping protocol that 
achieves the same bias as well as another one whose 
bias is merely (v5 — l)/4 < 0.31. According to an earlier 
paper of theirs [31], that's the smallest bias possible for 
a coin-flipping protocol in which the quantum communi- 
cation is limited to a single qubit. 

Meanwhile, Andris Ambainis [2] and, independently, 
Spekkens and Rudolph |31j discovered quantum coin- 
flipping protocols whose bias 0.25 is even smaller, but 
they require the transmission of a qwtrit (or one qubit 
and two qutrits in the case of Spekkens and Rudolph). 
On the other hand, Alcxei Kitaev [ST] proved that no 
quantum coin-flipping protocol can have a bias below 
(a/2- l)/2 » 0.21. Very recently, Andre Chailloux 
and Iordanis Kerenidis [H] have announced a quantum 
coin-flipping protocol whose bias is arbitrarily close to 
Kitaev's bound, but it requires an unlimited number of 
rounds of interaction as it approaches this bound. 

Despite the theoretical success of quantum coin- 
flipping protocols, compared to classical protocols, severe 
practical problems inherent to their implementation have 
been discussed by Jonathan Barrett and Serge Massar [3J, 
who argued that quantum coin flipping is problematic in 



any realistic scenario in which noise and loss can occur in 
the processing (preparation, transmission and measure- 
ment) of quantum information. For this reason, they 
proposed random hit-string generation instead of single- 
shot coin flipping. However, this is not interesting from 
a quantum cryptographic perspective because the same 
goal can be achieved with purely classical means [8]. 

In a subsequent paper (NFPM) written in collabo- 
ration with Anh Tuan Nguyen, Julien Frison and Kien 
Phan Huy, Massar has defined a figure of merit on which 
quantum coin-flipping protocols can outperform any pos- 
sible classical protocol even in a realistic setting and they 
have verified their concept experimentally |27j . Even 
though their protocol is not broken in the presence of 
loss, however, Alice can choose the outcome with near 
certainty in a realistic setting. We claim that, in order 
to be of practical use, a protocol should be loss tolerant, 
which we define as being completely impervious to loss of 
quantum information. In this sense, the NFPM protocol 
is not loss tolerant because its bias increases asymptoti- 
cally towards 0.5 as losses become more and more severe, 
which is unavoidable in practice (with current technol- 
ogy) over increasing distance between Alice and Bob. 

In this paper, we concentrate on this most likely source 
of imperfection in actual implementations, namely losses. 
With the exception of the NFPM protocol mentioned 
above (which is not loss tolerant), all previously proposed 
quantum coin-flipping protocols become completely inse- 
cure even in the absence of noise as soon as the quan- 
tum channel between Alice and Bob is lossy. We intro- 
duce the first loss-tolerant quantum coin-flipping proto- 
col. We prove that our protocol is fair in the sense that 
either Alice or Bob can enjoy a bias of exactly 0.4 with an 
optimal cheating strategy, independently of the channel's 
transmission and other sources of losses, provided quan- 
tum information that is not lost is prepared, transmitted 
and measured faithfully. 

After this Introduction, the structure of the paper is 
as follows. We begin in Section [H] with a review of the 
original 1984 quantum coin-flipping protocol of Bennett 
and Brassard [1] and we explain why it is completely 
vulnerable to a so-called EPR-attack. This is interest- 
ing not only for historical reasons, but also because our 
novel loss-tolerant protocol follows the same template. 
Section |III| reviews perhaps the most famous of all quan- 
tum coin-flipping protocols, due to Ambainis |2J, whose 
theoretical bias is 0.25. However, we demonstrate in 
Section |IV| that the security of that protocol is com- 
pletely compromised in the presence of arbitrarily small 
channel loss. Moreover, we argue that this problem is 
inherent to the protocol in the sense that it cannot be 
repaired with small corrections. (The same would be 
true of the 0.25-bias qutrit-based coin-flipping protocol 
due to Spekkens and Rudolph [31] as well as of their 
optimal single-qubit protocol [32].) This is due to the 
notion of conclusive measurements, which we review in 
Section [V] We show in Section IVII how to combine the 
strengths of the original BB84 protocol with those of the 
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ATVY protocol (which is not loss tolerant either in its 
published form) to finally achieve loss tolerance in quan- 
tum coin flipping and we analyse the security of our pro- 
tocol. Conclusions and open problems arc presented in 
Section ELD 



II. THE BB84 PROTOCOL 

We review the original BB84 quantum coin-flipping 
protocol as well as the way it can be broken pQ. Here 
are the so-called BB84 states: 
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where |±) = (|0) ± \1))/V2. We say of \ip a>x ) that a is 
the basis and x is the bit. We define measurement bases 
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for a G {0, 1}. In the full BB84 quantum coin-flipping 
protocol [4], Alice would prepare and send Bob a large 
number of qubits, all in the same randomly chosen 
basis a. To emphasize the essential features of the pro- 
tocol, however, we outline below a simplified version in 
which a single qubit is used. 

1. Alice prepares one of the four BB84 states \ip ax ) 
with basis a and bit x chosen independently at ran- 
dom; she transmits that qubit to Bob. 

2. Bob chooses a random a G {0, 1} and measures the 
received qubit in basis Ba', let Bob's result be x. 

3. Bob sends a randomly chosen bit b to Alice. 

4. Alice reveals her original a and x to Bob. 

5. If a = a and x 7^ x, Bob aborts the protocol, calling 
Alice a cheater; if a 7^ a, Bob has no way to verify 
Alice's honesty. 

6. If Bob did not abort the protocol, the outcome of 
the coin flip is a © b, where "©" denotes the sum 
modulo 2 (also known as the "exclusive or"). 

In this protocol, Bob cannot cheat at all. The only 
strategy for a cheating Bob would be to make an edu- 
cated guess on Alice's choice of a before deciding on the b 
to send her at step [3] so as to bias the coin-flip outcome 
a © b. However, a corresponds to Alice's random choice 
of basis. Hence, the state p a received by Bob at step[T]is 
either p = ||0><0j + or Pl = i|+)<+| + ||-)(-|. 

It follows from the fact that po = p\ that it is impossible 
for Bob to guess the value of a better than at random. 

On the other hand, it is obvious that Alice can bias 
the protocol if she does not mind the risk of being 



called a cheater. The simplest approach is to be hon- 
est in the first step. When she receives b from Bob, 
the probability is 50% that she is happy with the out- 
come a © b, in which case she proceeds honestly with 
the protocol. On the other hand, if she is unhappy 
with a © b, she can lie on a at step [4] and send a ran- 
dom x. In that case, her probability of being caught 
is 25% since Bob chose a^a with probability 50%, in 
which case he obtained x x also with probability 50%. 
All counted, this allows her to enjoy a 0.375-bias. 
A slightly more interesting cheat is for her to send state 
(cos^)|0) + (sin^)|l) for a random fcG {1,3,5,7} at 
step [1] and declare the a that suits her wish (with the 
appropriately chosen x) at step El This allows her 
to enjoy a bias of \ cos 2 | = (2 + \/2)/8 > 0.42, with a 
probability \ sin 2 | = (2 - %/2)/8 < 8% of being called a 
cheater. It was to make the probability of undetected 
cheating exponentially small that the full BB84 protocol 
required the transmission and measurement of a large 
number of qubits 

A much more remarkable kind of cheating is possible 
for Alice, as explained in the same paper that introduced 
the BB84 protocol itself 4 , which allows her to break the 
protocol completely (i.e. enjoy a 0.5-bias) with no fear of 
ever being caught. Let us say she wishes the outcome of 
the coin flip to be bit c. Instead of sending a legitimate 
BB84 state or any other pure state at stepfl] Alice sends 
half an EPR pair = (|01) - |10))/v / 2 to Bob and 

keeps the other half for herself. She waits until step [3] 
when she learns Bob's choice of b, to measure in basis 
a = c © b the half she had kept; let x be her measurement 
outcome. This tells her that Bob has obtained (or will 
obtain, if he has not yet measured) x = 1 © a; in case 
he has measured (or will measure) in basis a. (Alice 
does not care about the value of x if Bob chooses to 
measure in the other basis.) Hence, she can always obtain 
her desired outcome by sending those a and x to Bob in 
step g] 

As subsequently discovered independently by Mayers 
|24] and by Lo and Chau |22j in the context of quantum 
bit commitment, this kind of cheating is always possi- 
ble for Alice in any quantum coin-flipping protocol that 
has the structure of the BB84 protocol, regardless of the 
actual set of quantum states, whenever the density ma- 
trices used to signal a = or a = 1 at step [T] are identi- 
cal (po = Pi)- This is due to the striking quantum pro- 
cess known as "remote steering" , discovered by Erwin 
Schrodinger [29] as early as 1936 and better known as 
the HJW Theorem [TB] . (See Ref . for an entertaining 
history of this theorem.) Note that the remote steering 
attack works just as well if Bob postpones his measure- 
ment until after Alice reveals a and x, and almost just as 
well if p and pi, although different, are exponentially in- 
distinguishable [14 . This last remark caused the demise 
of the bit commitment scheme proposed in Ref. [7] and 
we shall henceforth not differentiate between density ma- 
trices that are equal and those that are merely exponen- 
tially indistinguishable. 
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III. AMBAINIS' PROTOCOL 

In order to escape the remote steering attack, Ahar- 
onov, Ta-Shma, Vazirani and Yao [1] introduced a coin- 
flipping protocol in which po ^ p\. To reduce even fur- 
ther Alice's possible bias, they shuffled the order of 
steps [2] [3] and [4] so that Bob delays his measurement 
of Alice's supplied state until after she tells him what 
she claims to have sent. In this way, he can measure 
systematically in the declared basis rather than having 
to measure in a randomly chosen basis a whose out- 
come had probability 50% of being useless. This allowed 
ATVY to design a quantum coin-flipping protocol with 
bias %/2/4 < 0.36, as subsequently proven by Spekkens 
and Rudolph [51] . 

To achieve his smaller bias of 0.25, Ambainis used the 
following states on qutrits (rather than on qubits): 
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Again we say of \4>a,x) that a is the basis and x is the bit. 
This time, we define measurement bases 

B / . = {|0a,o) 1 Ki).|2-o)} 
for a G {0, 1}. Here is Ambainis' protocol. 

1. Alice prepares one of the four Ambainis states 
\4> a ,x) with basis a and bit x chosen independently 
at random; she transmits that qutrit to Bob, who 
stores it in his quantum memory. 

2. Bob sends a randomly chosen bit b to Alice. 

3. Alice reveals her original a and x to Bob. 

4. Bob takes Alice's qutrit out of quantum memory 
and measures it in basis B' a ; let Bob's result be x. 

5. If x ^ x, Bob aborts the protocol, calling Alice a 
cheater. 

6. If Bob did not abort the protocol, the outcome of 
the coin flip is a ffi b. 

Alice cannot use remote steering to gain complete con- 
trol over the outcome of the coin flip because the density 
matrices that could be received by Bob at step[TJ corre- 
sponding to her choice a of basis, 
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are distinct. It is easy to see that Alice can enjoy a 
0.25-bias if she sends state (2|0) ± |1) ± |2))/\/6 at step[l] 
and declares a and x appropriately at step [3] The proof 
that this is Alice's optimal cheating strategy is nontriv- 
ial but has been worked out in detail by Ambainis [2J. 
On the other hand, the fact that po =/= p\ makes it pos- 
sible for Bob to cheat by measuring Alice's qutrit before 
step [2j in order to learn information about a and bias 
his choice of b accordingly. The most obvious strategy 
for Bob is to measure Alice's qutrit in the computational 
basis {0, 1, 2}, which allows him to enjoy a 0.25-bias as 
well. The fact that this is Bob's optimal cheating strat- 
egy follows directly from Carl W. Hclstrom's optimal 
measurement theory |15j . which we review in Section [V] 
For completeness, we mention that the independently- 
discovered 0.25-bias quantum coin-flipping protocol of 
Spekkens and Rudolph [31] requires Alice to choose a 
random bit a, prepare a one-qubit-and-two-qutrit entan- 
gled state 
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and send Bob one of the two qutrits in step [T] Step [2] is 
the same as in Ambainis' protocol. In step [3] Alice sends 
the qubit and the other qutrit to Bob, which allows him 
to verify her honesty in step [4] by performing a POVM 
on the combined Alice-provided state whose outcome is 
either |r ), |Ti) or "Alice cheated". Again, the result of 
the coin flip is a © b provided Bob did not catch Alice 
cheating. The essential (but not sufficient) reason why 
this protocol gives the same bias as Ambainis' is that the 
density matrix p a received by Bob at step |T] i s exactly 
the same in both protocols, as given by Eq. fl2J. 



IV. A PRACTICAL VULNERABILITY 

Even though Ambainis' analysis of his protocol is 
mathematically impeccable, there is a practical problem 
that cannot be neglected if one is ever to implement such 
protocols in real life: there will be unavoidable losses 
in the quantum channel between Alice and Bob. This 
is true in particular if photons are used to carry quan- 
tum information and if the quantum channel is an optical 
fibre. Further losses are to be expected in Bob's quan- 
tum memory and detection apparatus. The situation is 
even worse for the 0.25-bias protocol of Spekkens and 
Rudolph because it requires both Alice and Bob to have 
quantum memory since they must store one qutrit each 
between steps [l] and [3] (there is no real need for Alice to 
store also the qubit since it contains only classical infor- 
mation) . Please remember that one of the main appeals 
of quantum cryptography, from its very beginnings [1], 
has been to offer protocols that can be implemented with 
current technology, yet remain secure against any poten- 
tially future attack so long as quantum mechanics is not 
violated. 
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It follows that there is a possibility 1 , when Bob tries 
to measure Alice's qutrit at step [3] of Ambainis' proto- 
col (or the one-qubit-two-qutrit system in the protocol of 
Spekkens and Rudolph), that he does not register any- 
thing even though both Alice and Bob have been entirely 
honest. How should Bob react in this case? He could 
hardly call Alice a cheater if the most likely cause for 
loss is in his own detectors! There seem to be only two 
reasonable responses from Bob, as pointed out already 
by Barrett and Massar 13] concerning a quantum coin- 
flipping protocol inspired by the quantum gambling pro- 
tocol of Won Young Hwang, Doyeol Ahn and Sung Woo 
Hwang [T7]: Bob can (1) accept Alice's declared a and x 
on faith or (2) request Alice to restart the coin-flipping 
protocol from scratch. But both these "solutions" are 
unacceptable. 

If Alice knows that Bob will believe her on faith in case 
he gets no detection signal, she can totally bias the coin 
flip with the most maddeningly simple cheating strat- 
egy: she does nothing at all during step [l] and lets Bob 
"store" the empty signal. 2 After having received Bob's 
choice of 6, she is then free to "reveal" whichever a would 
produce her desired outcome a © b. Since Bob's measure- 
ment of the empty signal will yield nothing at step [4] he 
has no other choice but to believe Alice on faith. 

On the other hand, if Alice and Bob have agreed to 
restart the coin-flipping protocol in case Bob does not 
detect anything at step|4j it is Bob who can totally bias 
the coin flip without any need to manipulate quantum 
states. Whenever he receives Alice's qutrit, he does noth- 
ing at all with it and sends his random choice of 6. If Alice 
reveals a at step [3] so that he is happy with outcome 
a © b, with probability 50%, Bob pretends to measure 
Alice's long-lost qutrit and claims to be satisfied with 
her honesty. But if he is not happy with the outcome, 
Bob simply tells Alice that he has not registered anything 
and requests a new instance of the protocol. This con- 
tinues until the outcome is to Bob's liking. This cheat- 
ing strategy cannot be detected by Alice whenever the 
expected probability p of registering an outcome when 
both Alice and Bob are honest is at most 50%, provided 
Bob asks to restart the protocol with probability 1 — 2p 
even when progressing to step [6] would have produced his 
desired outcome. 

Unless Bob has the technological ability to make sure 
he received a quantum state from Alice at step [T] without 
disturbing it, and because Alice will not accept to restart 
the protocol after she has revealed a and x, he has only 
one line of defence against her "send nothing" cheat- 
ing strategy: he must measure Alice's signal immedi- 



ately upon reception and be allowed to ask her to restart 
the protocol from scratch (with an independent random 
choice of state) until he actually registers a measurement 
outcome. This means that we must revert to the origi- 
nal BB84 template in which Bob measures before Alice 
reveals a and x. 

As explained at the beginning of Section |III[ this will 
make it easier for a cheating Alice to escape detec- 
tion since Bob's measurement can no longer depend on 
her claimed state. However, provided Bob chooses his 
measurement basis at random, he will carry out with 
probability 50% the same measurement he would have 
performed in Ambainis' original protocol. As we prove 



in Subsection VIA it follows that Bob's probability of 
catching Alice's eventual cheating is reduced, but not by 
more than a factor of 2, compared to the original proto- 
col. Hence, Alice's bias is at most 0.375 rather than 0.25. 
The important point is that this bias remains below 0.5. 

Nevertheless, this modification in Ambainis' protocol, 
which is made necessary by practical considerations (with 
current technology), reopens the door for Bob to com- 
pletely break the revised protocol! When Alice tells him 
she transmitted a qutrit, Bob measures it immediately 
in the computational basis {|0), |1), |2)}. If he obtains 
either |1) or |2), Bob knows Alice's choice of a. This 
allows him to choose b so that a © b suits his desired out- 
come. On the other hand, if Bob either obtains |0) or if 
he does not register anything, then he tells Alice that 
the transmission has been unsuccessful and he requests 
another qutrit from her. In effect, the protocol will pro- 
ceed to the step in which Bob sends his choice of b to Alice 
only when he already knows Alice's earlier choice of a. 
This means that Bob enjoys a bias of 0.5 and the pro- 
tocol is completely broken. To camouflage his chicanery 
(in case Alice might wonder why the measurement does 
not succeed more often), Bob can pretend at the outset 
that his detectors are half as efficient as they really arc. 
Alternatively, he could surreptitiously replace the quan- 
tum channel that links him to Alice with a sufficiently 
better one. 

This fatal flaw in any practical implementation of 
Ambainis' protocol comes from one simple consideration. 
Even though the mixed states po and p\ (see Eq. |2| used 
at step [T] by Alice to partially commit to cither a = or 
a = 1, respectively, are non-orthogonal, hence they can- 
not be distinguished with certainty by Bob all the time, 
they can be distinguished conclusively with positive prob- 
ability. After reviewing below the notion of conclusive 
measurements, we introduce our new protocol in Sec- 
tion [Vl] and prove that its bias is exactly 0.4 even when 
arbitrarily severe losses are taken into account. 



Actually, with current technology, it is more than a mere "pos- 
sibility": this will occur in the overwhelming majority of cases. 
2 It would be technologically very challenging for Bob to perform 
a so-called "non-demolition measurement" , which would in prin- 
ciple allow him to confirm the presence of a qutrit without dis- 
turbing its state. 



V. DIFFERENT TYPES OF MEASUREMENTS 

Consider two non-orthogonal density matrices po and 
Pi (they could be pure states). There are several figures 
of merit in measurements that attempt to distinguish 
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them [T3]. Helstrom has studied the optimal measure- 
ment to output a guess that minimizes the error proba- 
bility [15 . Assuming both p an( i Pi were equally likely 
a priori, Helstrom's measurement outputs the correct 
guess with probability 



where 



\ D(po,Pi) 



D (Po,Pi) = ^Trlpo - 



Pi\ 
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(4) 



is the trace distance between po and p±, "Tr" denotes the 
trace and \A\ = \J A^A. In particular, if A is a diagonal 
real matrix, then \A\ij = \Aij\. 

When the spans of po and p\ are distinct, there 
exists another type of measurement, known as conclu- 
sive measurement or Unambiguous State Discrimination 
(USD) [T2[THJ[2H]. These measurements have three pos- 
sible outcomes, "0", "1" and "?", the latter of which 
being called the inconclusive outcome. Whenever out- 
come a £ {0, 1} is obtained, it is guaranteed that the 
measured state was indeed p a (assuming of course that is 
was either po or p\ and that there were no experimental 
errors). Furthermore, the probability of obtaining a con- 
clusive outcome (not "?") must be strictly positive for 
either input state. 

A well-known example of conclusive measurement can 
distinguish between |0) and |+) with conclusive outcome 
probability 1 — l/\/2 > 29%. More to the point of our 
paper, the obvious measurement in computational basis 
{|0),J1), 1 2)} distinguishes between Ambainis' po and pi 
(Eq. [2]) with conclusive probability 50%. In general, any 
coin-flipping protocol that follows the template of BB84 
is vulnerable to the attack described in Section IIVI when 
a conclusive measurement exists between the correspond- 
ing po and pi. 

It is tempting to think that this line of attack will not 
apply when conclusive measurements do not exist. How- 
ever, this is not necessarily the case. Erika Andersson, 
Stephen M. Barnett, Anthony Chefles, Sarah Croke, 
Claire R. Gilson and John Jeffers have studied "Max- 
imum confidence quantum measurements" (MCQM), 
which somehow interpolate between Helstrom and con- 
clusive measurements [10l[TT]. Like conclusive measure- 
ments, MCQMs have some probability p < 1 of yielding 
the "?" inconclusive outcome. However, when the out- 
come is either "0" or "1" , it is correct with probabil- 
ity at least q > 0. Helstrom's measurement maximizes q 
subject to p = whereas conclusive measurements (when 
they exist) minimize p subject to q = 1. There can be 
a trade-off between those two probabilities in the sense 
that it is sometimes possible to achieve an increase in q 
(compared to the accuracy of Helstrom's measurement) 
by tolerating a larger p. 

The relevance of MCQMs is that Bob could use them 
to increase his coin-flip bias at the cost of increasing his 
probability of asking Alice to restart the protocol (pre- 



tending he has not registered an outcome). If MCQMs 
exist for q arbitrarily close to 1, Bob can come as near 
as he wants to choosing the coin-flip outcome, provided 
Alice has enough patience (naivety?) to accept restart- 
ing the protocol indefinitely until Bob tells her that he is 
ready to continue. 

To demonstrate that this is a legitimate worry, con- 
sider an (admittedly contrived) quantum coin-flipping 
protocol b ased on Ambainis' states (see the beginning 
of Section III I, except that we add | <^>o,2 ) = |2) and 
|0i,2) = In stepjl] Alice chooses basis a S {0, 1} at 
random with uniform probability, but x £ {0, 1, 2} is cho- 
sen so that Prob(x = 0) = Prob(a; = 1) = 49% whereas 
Prob(a; = 2) = 2%. The density matrix received by Bob 
would be cither 




or Pl 




These two mixed states cannot be distinguished conclu- 
sively. Nevertheless, a measurement in the computa- 
tional basis yields either |0), which is interpreted as the 
inconclusive outcome "?", or it yields either |1) or |2), 
which are interpreted as either p' or respectively. 
This MCQC is inconclusive with probability p — 49%. 
When it is not inconclusive, however, the verdict is 
correct with probability q — 0.49/0.51 > 96%. This is 
much better than Helstrom's measurement, which would 
always give an answer but be correct only with probabil- 
ity 73.5% since D(/3q,p' 1 ) = 0.47. Therefore, a quantum 
coin-flipping protocol that uses these states would allow 
Bob to enjoy a maximal theoretical bias of 0.235 if we 
did not take losses into account. However, Bob's bias 
becomes larger than 0.46 if Alice agrees to restart the 
protocol whenever he claims to have not registered an 
outcome, which he would do whenever his measurement 
outcome is the inconclusive |0). 



VI. A LOSS-TOLERANT PROTOCOL 

Now, we introduce our novel quantum coin-flipping 
protocol and we prove that its bias is exactly 0.4, regard- 
less of the extent of losses that are unavoidable with cur- 
rent technology. For this, we use the states introduced 
by ATVY in their protocol pQ but revert to the original 
BB84 template [3]- Consider the states 



l^i,o) 

l^o,i) 
l^i, 1) 



= a\0)+p\l) 
= a|0)-/3|l> 

= /3|0)-a|l) 
= /3|0) + a|l) 



x = 



x = 1 



where a and (5 are real numbers such that 1 > a > (3 > 
and a 2 + [3 2 = 1. See Fig. [I] As always, we say of \tp a ,x) 
that a is the basis and x is the bit. We define measure- 
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outcome; and (3) the final coin-flip result is x < 
than affib. 



b rather 



FIG. 1: Quantum states used in loss-tolerant protocol. 
States such as |(/>o,o) = «|0) + /3|1) are represented in the real 
Cartesian plane by a line between the origin and point (a, 13). 



ment bases mutatis mutandis as we had done in Eq. ([I]) 
for the BB84 states: 



B2={Ko>,Ki» 



(5) 



for a G {0, 1}. We shall soon see why we have regrouped 
the states according to the value of x rather than that 
of a as we had done previously. Here is our loss-tolerant 
quantum coin-flipping protocol. 

1. Alice prepares one of the four states \<p a .x) with 
basis a and bit x chosen independently at random; 
she transmits that qubit to Bob. 

2. Bob chooses a random a G {0, 1} and measures the 
received qubit in basis B'~. If his apparatus does not 
register an outcome, he requests Alice to start over 
at step [T] otherwise, let the measurement result 
be x. 

3. Bob sends a randomly chosen bit b to Alice. 

4. Alice reveals her original a and x to Bob. 

5. If a = a and x ^ x, Bob aborts the protocol, calling 
Alice a cheater; if a ^ a, Bob has no way to verify 
Alice's honesty. 

6. If Bob did not abort the protocol, the outcome of 
the coin flip is x b. 

There are three differences, compared to the original 
BB84 protocol described in Section [TT (1) in addition 
to having been globally rotated to facilitate subsequent 
analysis, the states used are more general in the sense 
that bases B' ' and B'{ need not be mutually unbiased; 
(2) step [2] allows Bob to ask Alice to restart the protocol 
in case his measurement apparatus fails to register an 



The first modification will allow us to fine-tune the 
protocol in Subsection |VI C| The second modification 
makes it possible for the protocol to be loss tolerant 
as we have explained in Section |IV| The effect of the 
third modification, which corresponds to the main orig- 
inal contribution of the ATVY protocol, is that two dis- 
tinct density matrices go and Q\ (see below) are now used 
by Alice to partially commit to either x = or x = 1 
by the transmission of \ f a .x) a t step [I] with a randomly 
chosen a. 



00 = ||vo,oX¥'Q,o| + \\<Pi,o){vifi\ = 
and 

01 = 1 1^0,1X^0,1 1 + ||vi,iXvi,il = 



a 2 

p 2 

I3 2 

a 2 



(6) 



In sharp contrast, the intuition behind the original 
BB84 protocol was for Alice to "commit" to either a = 
or a — 1 with a randomly chosen x, but that was doomed 
by Schrodinger's remote steering process because the cor- 
responding density matrices were equal. 



Furthermore, we shall sec in Subsection VI B that, con- 



trary to the mixed states po and p\ used in Ambainis' 
protocol (see Eq.|2|, this time go and gi cannot be distin- 
guished conclusively, nor even by a maximum confidence 
quantum measurement better than Helstrom's measure- 
ment, which is the key to loss tolerance. 

Although we have presented our protocol as a mod- 
ification of the original BB84 protocol, it is useful for 
analysis purposes to contrast it also with the ATVY pro- 
tocol. The key difference between the ATVY protocol 
and ours is that they chose to introduce a new template 
(used in most subsequent protocols such as Ambainis') 
in which Bob stores the quantum state sent by Alice 
at step [T] in order to delay measurement until Alice 
has given him its classical description. The intention 
was to make it harder for Alice to cheat because Bob 
would know to measure the state in basis B" rather than 
having to choose a random basis B'[. Unfortunately, as 
we have explained, it was this feature that made their 
protocol incapable of tolerating channel loss unless Bob 
has the technological ability to detect if a signal has 
been received by Alice without otherwise disturbing its 
state. 

Next, we prove that the maximum biases that Alice 
and Bob can enjoy are 



ea = (1 + 2a/3)/4 and e B 



1/2. 



respectively, and we give explicit cheating strategies to 
achieve those biases. We conclude that the choice of a 
and (3 that makes those two biases equal corresponds to 
a fair protocol whose bias is 0.4. 
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A. Alice's optimal cheating strategy 

It would be relatively easy to determine Alice's opti- 
mal cheating strategy were she restricted to sending some 
pure state to Bob in the first step of the protocol. How- 
ever, we have learned from the demise of the original 
BB84 protocol U that it might be to her dishonest 
advantage to prepare an entangled state, send one qubit 
from it to Bob at step [I] and wait until Bob's announce- 
ment of b at step [3j to measure in the most informative 
way what she had kept. This could increase her chances 
of deciding on her best choice of a and x to "reveal" at 
step [4] in order to maximize her probability of success- 
fully biasing the coin flip. It is significantly more com- 
plicated to take all possible such strategies into account. 
Fortunately, most of the work has already been done by 
Spekkens and Rudolph in their thorough analysis of the 
ATVY protocol [3J- 

Let us begin our analysis by briefly pretending that 
Bob does not measure the state Alice has sent him until 
after she reveals her choice of basis and bit, and that he 
measures it in that basis. As we have already pointed 
out, this becomes the ATVY protocol. It follows directly 
from the analysis of Spekkens and Rudolph [choosing 
what they call 9 in their Eq. (20) so that cos 9 — a and 
sin 9 = j3] that any cheating strategy Alice may deploy 
gives her bias 



, sin 29 

e A < — - — = sin 9 cos 9 
a - 2 



a/3. 



(7) 



Now, to analyse our protocol, we must take into 
account the fact that we require Bob to measure Alice's 
state before she tells him what she claims to have sent. 
(This is how we make our protocol loss tolerant.) This 
difference makes it easier for Alice to cheat because Bob's 
measurement cannot be chosen to maximize his probabil- 
ity of discriminating between her claimed state and any 
other state that she might have sent instead. However, as 
we show below, this modification does not reduce Bob's 
probability of catching Alice cheating by more than a 
factor of 2. 

Recall that Bob is required by step [3j of the protocol 
to send a random choice of b, which must be uncorre- 
cted with his former choice a of measurement and its 
outcome x. The crucial observation is that the random- 
ness of b deprives Alice from any information she might 
otherwise have obtained from Bob concerning a and x. 
(The importance of this observation is illustrated in Sec- 
tion VI D ) It follows that her choice of which a and x to 
declare at step|4]cannot depend on what has happened at 
Bob's after she transmitted her quantum state at step[l] 
In particular, a — a with probability 50% since a is cho- 
sen at random by an honest Bob, in which case he has 
chosen by chance at step [2] precisely the measurement 
he would have performed in the ATVY protocol, had he 
been allowed to wait until Alice's announcement of a and 
x before deciding on his measurement. 



The above implies that any cheating strategy that 
Alice might deploy against our protocol translates into 
an identical cheating strategy against the ATVY proto- 
col, possibly with a different success probability, since 
it makes no measurable difference to Alice whether Bob 
measures before (as in our protocol) or after (as in the 
ATVY protocol) she has to declare a and x. Now, con- 
sider an arbitrary cheating strategy on the part of Alice 
and let ea (resp. e' A ) be the bias that she enjoys with this 
strategy against our protocol (resp. the ATVY protocol). 

Consider an arbitrary run of our protocol, when Alice 
uses this cheating strategy. With probability 50%, inde- 
pendently from anything else, Bob randomly chooses 
the same measurement he would have performed in the 
ATVY protocol, in which case Alice succeeds with prob- 
ability \ + e' A . In the other 50% of the cases, Bob cannot 
verify the state Alice claims to have sent and the proba- 
bility that Alice succeeds is at most 1. All counted, the 
success probability of Alice in our protocol is 



EA < 



X 1 = 



2 £ A 



It follows that 



£A < 



l + 2e' A 1 + 2a(3 



< 



(8) 



where the last inequality follows from Eq. 

We now proceed to show that this bound can be 
saturated. Surprisingly (when we recall the demise of 
the BB84 quantum coin-flipping protocol), the optimal 
cheating strategy for Alice does not require her to pre- 
pare an entangled state from which she would send one 
qubit at step[l] Instead, it suffices for her to send either 
|+) = (|0) + |l))A/2or |-) = (|0) - |l))/V2toBob. Let 
us say she sent |+) (the other case is similar) and received 
bit b from Bob at step [3] If her desired outcome is c, she 
sets x — c(Bb and claims at step [4] to have sent \(p x ,x) 
at step[l] With probability 50%, Bob had already cho- 
sen a =/= x, in which case he cannot catch Alice cheat- 
ing. With complementary probability 50%, he had cho- 
sen a = x, in which case Alice escapes detection with 
probability 



K+l^)| 2 = (>+^/3 



a(3 



(the last equality is because a 2 + (3 2 = 1). Putting it all 
together, Alice obtains her desired outcome with proba- 
bility 

1 1/1 a \ 3 + 2a/3 
- + -[-+ a8]= - 

2 2 V2 J 4 

and her bias is therefore 

_ 3 + 2a(3 1 _ 1 + 2a(3 
£A ~ ~ 2 " ' 

which saturates the bound given in Eq. (pi. 
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B. Bob's optimal cheating strategy 

In the analysis of Bob's bias in quantum coin-flipping 
protocols, it is usual to apply Eqs. p]) and Q to com- 
pute the trace distance D(qq, Qi) — or — /3 2 — 2a 2 — 1 in 
order to determine that the optimal Helstrom measure- 
ment that Bob could perform to best guess Alice's com- 
mitted bit (here, x) gives him the correct answer with 
probability a 2 . From this, we would "normally" conclude 
that Bob's maximal bias is a 2 — 1/2. 

As we have seen, however, this approach is not appro- 
priate in our context because it does not take into account 
the eventual possibility for Bob to increase his bias 
by making conclusive or maximum confidence quantum 
measurements on the state sent by Alice at step [T] so 
that he could ask her to restart the protocol whenever he 
is not sufficiently satisfied with the probability that his 
guess of x be correct. 

Fortunately, the analysis of Bob's optimal cheating 
strategy is straightforward in this case. For either value 
of x G {0, 1} that Alice may have chosen in step[l] Eq. ([6| 
shows the mixed state g x that Bob would receive from 
her. The key observation is that, algebraically speak- 
ing, g = a 2 \0)(0\ + /3 2 |1)<1| and Ql = /3 2 |0)<0| + a 2 |l)(l|. 
It follows that, from a cheating Bob's perspective, whose 
only concern is in guessing x as best as possible (includ- 
ing the possibility of asking Alice to restart the proto- 
col if he is not satisfied with his own confidence in his 
guess), this is strictly identical to an alternative scenario 
in which Alice would have sent |0) with probability a 2 
or |1) with probability ft 2 in case x — 0, and vice versa 
in case x = 1. In other words, this is exactly as if Alice 
had communicated her choice of x to Bob as the purely 
classical signal \x) through a binary symmetric channel 
with error probability (3 2 . 

Seen this way, there is nothing quantum about the 
situation. Hence, a complete measurement in the com- 
putational basis of the state received by Alice provides 
Bob with an optimal cheating strategy since it yields 
all the information classically available in the "quan- 
tum" signal! Not surprisingly, this is indeed precisely 
Hclstrom's measurement. In particular, the outcome 
of this measurement does not give Bob any indication 
on whether or not it would be to his advantage to ask 
Alice to restart the protocol. (Note that it is not sim- 
ply because Alice's signal can be thought of as classi- 
cal that there cannot be a conclusive or a maximum 
confidence measurement; in particular, erasure chan- 
nels provide the classical equivalent to quantum con- 
clusive measurements — but binary symmetric channels 
don't.) 

To summarize, Bob's optimal cheating strategy is to 
measure Alice's qubit in the computational basis in 
order to learn the value of x with error probability /3 2 . 
This allows him to choose b appropriately and obtain 
his desired outcome x © b with complementary probabil- 
ity a 2 , thus enjoying his optimal bias eb — a 2 — 1/2. 



C. A fair protocol 

In this subsection, we find the value of a so that the 
bias either player can achieve by cheating is the same. 
We simply need to fulfil the condition 

£A = £b , 

which for our protocol amounts to 

1 + 2a/3 2 1 
— — =a ~2> 

subject to a 2 + f3 2 = 1. Solving this system yields 

a = VK9 and (3 = VOA , 

as illustrated in Fig. [I] These values correspond to 

e A = e B = 0.4 , 

which defines a fair loss-tolerant quantum coin-flipping 
protocol whose bias is 0.4. In other words, either player 
can obtain a desired outcome with probability 90% by 
using an optimal cheating strategy, provided of course 
the other player is honest. But what if they both try to 
cheat? 



D. The cunning game 

An interesting phenomenon is illustrated if we take the 
unusual step of considering the case when both Alice and 
Bob cheat. The most obvious example of double-cheating 
occurs when Alice is convinced that Bob is so greedy 
that he will try his best to control the coin flip. In this 
case, Alice can send an honest quantum state in step [l] 
To maximize his chances of guessing Alice's choice of x, 
Bob measures the state in the computational basis, as 
we have seen. This allows him to send Alice a value 
of b that produces his desired outcome with probability 
90% (assuming they use the fair version of the protocol) . 
But at the same time, he has lost his ability to verify 
the honesty of Alice since he did not measure her qubit 
in a legitimate basis. Suspecting this, Alice is free to 
claim whatever suits her best at step |4j probably lying 
about x, and Bob cannot look her in the face and call 
her a cheater! 

For an amusing variation on this theme, consider what 
happens if both parties attempt to perform their optimal 
cheating strategies simultaneously. In this case, Alice 
sends either |+) or |— ), which Bob measures in basis 
{|0), |1)}. When Bob attempts influencing the coin flip 
by choosing 6 as a function of his measurement outcome, 
little docs he suspect that his choice is in fact totally ran- 
dom: ironically, Bob follows the honest protocol at step|3] 

For a more subtle example, consider a scenario accord- 
ing to which Bob is Alice's young son. They agree to 
flip a quantum coin to determine who will decide on the 



10 



film to be seen tonight: Alice will have the choice if the 
outcome is 1 and Bob if it is 0. Alice knows that her 
little rascal will do his best to cheat and win, but also 
that he will follow step [2] properly (rather than measur- 
ing in the computational basis) because he will not want 
to relinquish his possibility to catch his mother cheat- 
ing at verification step [5] — or so he thinks. Hence, Bob's 
cheating will consist in sending b — x at step [3j instead of 
choosing b at random. After a calculation, we find that 
this gives him probability 82% that b = x, thus producing 
his winning outcome x b = 0. 

Unbeknownst to Bob, however, his mother wants him 
to win, but she does not wish him to know this for fear of 
undermining her authority! Assuming she knows her son 
as well as she thinks, she proceeds as follows. At step [T] 
she honestly sends some random state \ip a ,x)- When she 
receives Bob's choice of b at step [3] there are two pos- 
sibilities. If b = x, she can relax and continue honestly 
since Bob wins, according to her wish. On the other 
hand, if b ^ x, then Alice can deduce that Bob used the 
wrong basis in his measurement: a =/= a. This allows her 
to "reveal" a together with any x of her choice at step [4] 
since she knows (or suspects) that Bob will be unable to 
call her a cheater. According to our story, she chooses 
x, = b to make Bob happy. 

Admittedly, the above tale is unlikely at best. Never- 
theless, it serves the purpose of demonstrating the im- 
portance in our proof of security against Alice (Subsec- 
tion fVIA I that Bob's bit b be chosen randomly despite 



the fact that he has significant information about Alice's 
x after an honest measurement at step [2] Indeed, our 
proof relied in a crucial way on the fact that Alice would 
have no information on the measurement basis used by 
Bob. Our tale shows how wrong and damaging it would 
have been had the protocol asked an honest Bob to send 
a b correlated to his measurement outcome. 



E. Side channels 

We have seen that Bob could exploit the loss of quan- 
tum information to cheat in previous protocols, whereas 
our protocol is loss tolerant. Nevertheless, our proto- 
col could become susceptible to loss if it were imple- 
mented with insufficient care. A side channel is any 
source of information that Bob could exploit about the 
quantum state sent by Alice above and beyond its theo- 
retical definition as a pure qubit. For example, the proto- 
col would be obviously insecure if the apparatus used by 
Alice to generate her quantum states produced each of 
the four legitimate states as photons of significantly dif- 
ferent wavelengths or spatial position. These issues have 
been studied extensively in the context of quantum key 
distribution. See Rcf. [33 for a compelling example of 
successful hacking of a commercially available apparatus. 

An interesting example of side channel would occur in 
a careless implementation of our quantum coin-flipping 
protocol if Alice used an attenuated laser pulse to gener- 



ate her states, as is done in most current implementations 
of quantum key distribution. The problem stems from 
the fact that one can distinguish conclusively between g () 
and Q\ (Eq. |6| when a pulse consists of two (or more) 
identical ATVY states. For this, it suffices for Bob to 
measure one photon in basis Bq and the other in basis B'{ 
(Eq. |5|. If the two measurements produce the same 
outcome, this is necessarily the correct bit x encoded 
by Alice since one of the measurement has been per- 
formed in the correct basis. This occurs with probability 
(a 2 — (3 2 ) 2 . With the fair states, Bob's probability of 
conclusive outcome is therefore a substantial 64% each 
time a pulse contains two photons, which means that 
this implementation of the protocol is completely inse- 
cure because Bob can request another state from Alice 
until this event occurs. 

To make the case of attenuated laser pulses even 
worse, a perfectly natural measurement apparatus that 
an honest Bob could use in the implementation of our 
protocol [5] would produce such conclusive outcome with 
half the probability derived above, namely 32% of the 
double-photon pulses. It follows that Bob, who started 
the protocol with pure intentions, might find it difficult to 
resist sliding to the dark side when his (honest!) measure- 
ment apparatus reveals with certainty the value of x cho- 
sen by Alice. A practical solution to this problem is for 
Alice to use a source of entangled photons, as discussed 
in Ref. [5]. 



VII. CONCLUSION 

Quantum coin flipping is a cryptographic primitive 
that has been studied extensively. Several approaches 
have been considered since the very beginnings of quan- 
tum cryptography. However, previous protocols are 
either totally insecure [I], or they are highly sensitive to 
(if not completely broken by) technologically unavoidably 
losses of quantum information on the channel between 
the players or in their storage and detection appara- 
tus |I1 [23 [3U In this paper, we introduced the 
first loss-tolerant quantum coin-flipping protocol, which 
means that it is completely impervious to such losses. 
We proved that our protocol is fair in the sense that both 
Alice and Bob have an optimal cheating strategy capable 
of producing their desired outcome with 90% probability 
of success (assuming the other player is honest) and we 
provided those strategies explicitly. 

Even though our protocol can tolerate arbitrary loss 
of quantum information, it would fail in case of noise 
because it would be impossible for Bob to know, in case 
of a mismatch between his measurement outcome and 
Alice's claimed state, if that is due to a genuine error 
(on his part or Alice's) or to Alice's dishonesty. Recall 
that this may be unavoidable; indeed Barrett and Massar 
have argued that single-shot quantum coin-flipping pro- 
tocols are problematic when both noise and loss can 
occur [3J. 



11 



If secure single-shot quantum coin-flipping protocols 
are indeed impossible in the presence of noise, is there 
something useful that quantum coin flipping can do above 
and beyond anything classically possible? We already 
know that random bit-string generation [5] is not the 
answer given that it can be done classically [8]. We are 
currently investigating this issue |5J along a different line 
from that proposed in Ref. [27]. 

Another open question concerns the optimality of our 
protocol. Could there be a loss-tolerant quantum coin- 
flipping protocol whose bias is smaller than 0.4? Alter- 
natively can we prove that 0.4 is the smallest bias pos- 
sible among all loss-tolerant quantum coin-flipping pro- 
tocols? Finally, we mention that this paper was entirely 
concerned with the task known as strong coin flipping. 
There exists a similar task, weak coin flipping, in which 
only one outcome is favourable for Alice, the other out- 
come being the only one favourable for Bob. Protocols 
with arbitrarily small bias are known to exist for weak 
coin flipping in stark contrast with Kitaev's lower 
bound for the strong case [21] ■ Can loss-tolerant quan- 
tum weak coin-flipping protocols exist with arbitrarily 
small bias? This question will be addressed in a subse- 
quent paper. 

We have recently implemented our own loss-tolerant 
protocol and we have successfully tested it against Alice's 
and Bob's optimal cheating strategies. We report on 
those experiments elsewhere [5]. This was in a sense 
going full circle because it was our wish to implement 



Ambainis' quantum coin-flipping protocol that lead to 
the realization that we could never succeed and thus to 
the development of our new protocol. 
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